HackControl – cybersecurity consulting company, cyber security, penetration testing, security audit, brand protection, antiphishing, blockchain audit

Smart Contracts Code Review and Web Application Penetration Testing

Client

Yggdrasil is an ecosystem of DeFi applications with a native token, EDDA.

The Yggdrasil ecosystem consists of:

Challenge

The main challenge was to verify that the contracts behave correctly according to their specification and to identify the vulnerabilities that an attacker could exploit.

Goals of Smart Contract Audit:

  1. Identify contract bugs that could lead to unexpected behaviour.
  2. Analyze whether best practices were applied during contract development.
  3. Provide recommendations to improve contract security and readability.
  4. Identify inconsistencies between the specification and the implementation.
  5. Identify defective design, logic, and access control.
  6. Check for arithmetic overflow and underflow (integer overflow).
  7. Check for re-entrancy, code injection, and denial-of-service attacks.
  8. Check loops, timestamp dependence, and transaction order dependency (TOD) for manipulation by miners (block timestamps and transaction ordering).
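The following Solidity snippet is an added illustration of audit goals 6 and 7, not code from the audited Yggdrasil/EDDA contracts: a minimal vault in a vulnerable form, the attacker contract that drains it, and the hardened version that an audit would recommend. Contract and function names (`VulnerableVault`, `HardenedVault`, `Attacker`) are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not code from the audited contracts): a vault with the
// two classic defects an audit checks for, re-entrancy and unchecked arithmetic.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // BUG 1: the external call happens before the balance is updated, so a
    //        contract whose receive() calls withdraw() again is paid repeatedly.
    // BUG 2: the subtraction is unchecked (the default before Solidity 0.8),
    //        so the repeated withdrawals wrap the balance instead of reverting.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        unchecked {
            balances[msg.sender] -= amount; // state change after the interaction
        }
    }
}

// Attacker: deposits once, then re-enters withdraw() from receive() until the
// vault holds less than one withdrawal amount.
contract Attacker {
    VulnerableVault public target;

    constructor(VulnerableVault _target) {
        target = _target;
    }

    function attack() external payable {
        target.deposit{value: msg.value}();
        target.withdraw(msg.value);
    }

    receive() external payable {
        // The vault's balance entry for this contract is still unchanged here,
        // so the require() in withdraw() passes again.
        if (address(target).balance >= msg.value) {
            target.withdraw(msg.value);
        }
    }
}

// Hardened version: checks-effects-interactions, checked arithmetic
// (Solidity >= 0.8 reverts on overflow/underflow) and a re-entrancy guard.
contract HardenedVault {
    mapping(address => uint256) public balances;
    bool private locked;

    // Any nested call into a guarded function reverts.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value; // checked: reverts on overflow
    }

    function withdraw(uint256 amount) external nonReentrant {
        uint256 bal = balances[msg.sender];
        require(bal >= amount, "insufficient");
        balances[msg.sender] = bal - amount; // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Deploying `VulnerableVault`, funding it from a second account, and calling `Attacker.attack{value: 1 ether}()` drains the vault one withdrawal per nested call; the same call against `HardenedVault` reverts at the `nonReentrant` check, and even without the guard the updated balance would fail the `require`. Note that with checked arithmetic (no `unchecked` block) the vulnerable contract still re-enters, but the final underflow reverts the whole transaction, which is why overflow checks and re-entrancy protection are reviewed as separate goals.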

Solution

The HackControl team scanned the smart contracts with static code analysis tools, manually verified every reported finding, and conducted a line-by-line review of the code.

The smart contracts were tested to verify their business logic and blockchain interactions. The tests covered every contract and included a range of use cases.

A technical report with remediation recommendations was provided to improve contract security.

Web Application & API Penetration Testing

Challenge

The main challenge was to detect vulnerabilities and shortcomings that could violate the confidentiality, integrity, or availability of information, cause incorrect system operation or denial of service, lead to financial losses or economic risk, or even cause the token sale to fail.

Goals of penetration testing:

Scope of penetration testing:

Solution

HackControl carried out a penetration test of the client's web application, infrastructure, and API following a generally accepted industry methodology for web application penetration testing (the OWASP Testing Guide).

First, HackControl collected information about the client's IT systems in scope and performed automated vulnerability scanning to prepare the security experts for the active testing phase.

Then HackControl analyzed the vulnerabilities and threats affecting the application and API. Vulnerability detection combined with realistic attack simulation revealed several issues in the application.

Even though the application did not have a large IT infrastructure and its API sat behind Cloudflare, the HackControl team was still able to detect vulnerabilities. Had these gone unfound, the client could have faced problems during the token sale.

Finally, a report with recommendations for improving the customer's security was provided.

Types of vulnerabilities & configurations checked by Hackcontrol:

HackControl compiled a list of recommendations to address the vulnerabilities and improve the client's security.
